ctakes-dev mailing list archives

From "Chen, Pei" <Pei.C...@childrens.harvard.edu>
Subject RE: [SECURITY] Frame injection vulnerability in published Javadoc
Date Fri, 21 Jun 2013 18:04:42 GMT
FYI
I ran the patch inline in the existing apidocs to update the current 2 hosted instances on:
http://ctakes.apache.org/apidocs/

I presume once we update to Java 7, and have an automated Javadoc generation in Maven, otherwise
we should be good to go.
--Pei

> -----Original Message-----
> From: Andy McMurry [mailto:mcmurry.andy@gmail.com]
> Sent: Thursday, June 20, 2013 10:49 PM
> To: dev@ctakes.apache.org
> Subject: Re: [SECURITY] Frame injection vulnerability in published Javadoc
> 
> FYI: Java 6 is END OF LIFE.
> I know this also applies to Java 7, just an FYI.
> 
> http://developers.slashdot.org/story/13/06/20/1819245/java-6-eold-by-oracle
> 
> 
> 
> On Jun 20, 2013, at 2:40 PM, Pei Chen <chenpei@apache.org> wrote:
> 
> > FYI
> > We should probably update our javadocs for the next release...
> >
> > ---------- Forwarded message ----------
> > From: Mark Thomas <markt@apache.org>
> > Date: Thu, Jun 20, 2013 at 4:29 AM
> > Subject: [SECURITY] Frame injection vulnerability in published Javadoc
> > To: committers@apache.org
> > Cc: root@apache.org
> >
> >
> > Hi All,
> >
> > Oracle has announced [1], [2] a frame injection vulnerability in
> > Javadoc generated by Java 5, Java 6 and Java 7 before update 22.
> >
> > The infrastructure team has completed a scan of our current project
> > websites and identified over 6000 instances of vulnerable Javadoc
> > distributed across most TLPs. The chances are the project(s) you
> > contribute to is(are) affected. A list of projects and the number of
> > affected Javadoc instances per project is provided at the end of this
> > e-mail.
> >
> > Please take the necessary steps to fix any currently published Javadoc
> > and to ensure that any future Javadoc published by your project does
> > not contain the vulnerability. The announcement by Oracle includes a
> > link to a tool that can be used to fix Javadoc without regeneration.
> >
> > The infrastructure team is investigating options for preventing the
> > publication of vulnerable Javadoc.
> >
> > The issue is public and may be discussed freely on your project's dev list.
> >
> > Thanks,
> >
> > Mark (ASF Infra)
> >
> >
> >
> > [1] http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
> > [2] http://www.kb.cert.org/vuls/id/225657
> >
> > Project                 Instances
> > abdera.apache.org       1
> > accumulo.apache.org     2
> > activemq.apache.org     105
> > any23.apache.org        13
> > archiva.apache.org      4
> > archive.apache.org      13
> > aries.apache.org        7
> > avro.apache.org         23
> > axis.apache.org         5
> > beehive.apache.org      16
> > bval.apache.org         12
> > camel.apache.org        786
> > cayenne.apache.org      4
> > chemistry.apache.org    6
> > click.apache.org        3
> > cocoon.apache.org       6
> > commons.apache.org      34
> > continuum.apache.org    9
> > creadur.apache.org      19
> > crunch.apache.org       4
> > ctakes.apache.org       2
> > curator.apache.org      4
> > cxf.apache.org          6
> > db.apache.org           39
> > directory.apache.org    4
> > empire-db.apache.org    1
> > felix.apache.org        5
> > flume.apache.org        5
> > geronimo.apache.org     241
> > giraph.apache.org       6
> > gora.apache.org         3
> > hadoop.apache.org       21
> > hbase.apache.org        2
> > hive.apache.org         4
> > hivemind.apache.org     10
> > incubator.apache.org    355
> > jackrabbit.apache.org   9
> > jakarta.apache.org      39
> > james.apache.org        53
> > jena.apache.org         5
> > juddi.apache.org        3
> > lenya.apache.org        46
> > logging.apache.org      111
> > lucene.apache.org       713
> > manifoldcf.apache.org   112
> > marmotta.apache.org     1
> > maven.apache.org        1623
> > maventest.apache.org    1178
> > mina.apache.org         2
> > mrunit.apache.org       3
> > myfaces.apache.org      348
> > nutch.apache.org        8
> > oltu.apache.org         11
> > oodt.apache.org         1
> > ooo-site.apache.org     1
> > oozie.apache.org        10
> > openjpa.apache.org      20
> > opennlp.apache.org      9
> > pdfbox.apache.org       1
> > pig.apache.org          7
> > pivot.apache.org        1
> > poi.apache.org          1
> > portals.apache.org      35
> > river.apache.org        2
> > santuario.apache.org    1
> > shale.apache.org        55
> > shiro.apache.org        3
> > sling.apache.org        2
> > sqoop.apache.org        4
> > struts.apache.org       190
> > subversion.apache.org   3
> > synapse.apache.org      1
> > syncope.apache.org      2
> > tapestry.apache.org     6
> > tika.apache.org         9
> > tiles.apache.org        12
> > turbine.apache.org      100
> > tuscany.apache.org      4
> > uima.apache.org         12
> > velocity.apache.org     41
> > whirr.apache.org        2
> > wicket.apache.org       3
> > wink.apache.org         13
> > ws.apache.org           22
> > xalan.apache.org        1
> > xerces.apache.org       5
> > xml.apache.org          1
> > xmlbeans.apache.org     3
> > zookeeper.apache.org    18
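
A defender-side check for the clean-up requested in the forwarded announcement, as an added example that is not part of the original thread and is not ASF or Oracle tooling: it walks a local copy of a published site and flags Javadoc frameset pages that lack the fix. The marker strings, the file names checked and the sample pages are assumptions constructed for this example.

```python
import os
import tempfile

# Assumed markers, not taken from the thread: the frame-loading script in a
# Javadoc index page copies the query string into targetPage, and output from
# fixed Javadoc versions also defines a validURL() check on that value.
QUERY_MARKER = "window.location.search"
TARGET_MARKER = "targetPage"
FIX_MARKER = "validURL"
ENTRY_NAMES = {"index.html", "index.htm"}  # assumed frameset entry pages

# Constructed sample pages, trimmed to the lines the heuristic looks at.
SAMPLE_OLD = """<html><head><script type="text/javascript">
    targetPage = "" + window.location.search;
    function loadFrames() { top.classFrame.location = top.targetPage; }
</script></head><frameset cols="20%,80%"></frameset></html>"""
SAMPLE_FIXED = SAMPLE_OLD.replace(
    "function loadFrames",
    "function validURL(url) { /* body omitted */ }\n    function loadFrames")
SAMPLE_OTHER = "<html><body>Project home page</body></html>"

def classify(html):
    """Return 'vulnerable', 'patched' or 'not-javadoc-frames' for one page."""
    if QUERY_MARKER not in html or TARGET_MARKER not in html:
        return "not-javadoc-frames"
    return "patched" if FIX_MARKER in html else "vulnerable"

def scan_tree(root):
    """Walk a site tree and classify every candidate entry page under it."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in ENTRY_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[os.path.relpath(path, root)] = classify(fh.read())
    return results

def demo():
    # Build a throwaway site with one old, one fixed and one unrelated page.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("apidocs-old", SAMPLE_OLD),
                          ("apidocs-new", SAMPLE_FIXED), ("", SAMPLE_OTHER)):
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            with open(os.path.join(root, rel, "index.html"), "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Pages reported as `vulnerable` are candidates for regeneration with a fixed Javadoc or for the fix tool linked from the Oracle announcement; confirm a match by reading the page's script before changing it.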

